Security Experts Comments – British Airways Data Breach

In response to the news that British Airways has launched an “urgent” investigation and notified police after hundreds of thousands of customers’ personal and financial details were stolen, IT security experts commented below.

“After a large scale incident like this, fraudsters from around the world will inevitably jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from this incident or such like mentioning it asking for any personal information or to click on unverified links, discard them.

If your data is included in this breach, you’ll need to take action to protect yourself. If you find your credit or debit card has been compromised consider the following:

Call your bank or card issuer, cancel the card and request a new card. No bank will ever mind being contacted for you being cautious.

You’ll also want to check your card statements for suspicious activity or purchases online – in particular small amounts just in case they are testing your card before a larger transaction is placed online. It also might be worth adding extra fraud alert security on your account.

And it goes without saying change your password. After any breach of such velocity, it is always a good idea to change your passwords along with the same ones used on other websites.”

“In what appears to be the second breach of travelers’ information in as many weeks, British Airways announced today that personal and financial details of 380,000 customers making bookings had been compromised. This follows on the heels of a breach of the mobile app from Air Canada just last week. As part of the breach, BA stated that travel and passport details were not stolen.

It is heartening to note that BA is working with those individuals whose card payment information was breached as well as working with authorities all seemingly aligned to the recently enacted GDPR regulation.

While it’s far too early to tell how this latest breach occurred, usually these types of cybercrimes are the result of poorly managed privileged accounts which are the accounts that have access to most, if not all, IT systems. Protecting these accounts is perhaps the single most important security step any organization can take followed closely by multi-factor authentication and access governance.”

“Like any website which sees large volumes of card transactions, British Airways is a ripe target for hackers. Stealing data en masse in this way can be hugely profitable for the criminal underground. It is now a race between British Airways and the criminal underground. One will be figuring out which cards have been compromised and alerting victims, whilst the other will be trying to abuse them while they are still fresh.

“Anyone who transacted with the company between these dates should keep a close eye out for malicious transactions. They should also consider changing passwords for any other online services which share the same login details as their BA account.”

“Organisations like BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers high return on investment.

“Yet, every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.

“Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in IoT appliances coming onto the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow, and a priority for security teams will be to reduce the time to detect, contain and mitigate breaches. This is a key strategy given malicious actors are now very skilled in delivering multi-layered attacks using diversion techniques. The only way to go about this is applying emerging technologies like predictive analytics with techniques such as machine learning and modelling as another layer of the already complex security stack. As the saying goes, it’s always better to err on the side of caution.”

“The fact that this attack was an exploitation of vulnerabilities on BA’s website and app gives us a picture of how this data breach occurred. Web applications are notoriously vulnerable to attacks, with our recent report finding that 44% of web applications leave users’ data at risk of theft and 100% of web apps contain at least one vulnerability. This event is a case study example of why web app security and preventing access to data is so crucial. The data at risk can be incredibly valuable for hackers, so the incentive to compromise sensitive customer information is high. It is crucial that companies monitor their web application, and patch vulnerabilities immediately.

“Once hackers have hold of high value data like card details, the market in criminal networks for reselling is huge, meaning that we may not see the effects of this theft immediately until a buyer acts. The best thing to do for anyone who thinks their details may have been involved, or who has been told so by BA, should keep an eye on their transactions. Consider cancelling the affected bank card and request a replacement for peace of mind.”

“With financial details stolen and the hack undiscovered for so long, this breach carries a high financial risk for British Airways customers. Customers who bought tickets in the time period of the hack (21st August – 5th September) need to act fast, notifying their banks and checking their statements to make sure there has been no suspicious activity on their accounts. They should also change their password for British Airways, and any other accounts that use the same credentials. Criminals will try to exploit customers in the aftermath of the hack, so customers should be especially wary of scam emails that use credentials that could have been taken from this breach over the next few months.

“As well as its customers, the hack will have major effects for British Airways. Shares in BA’s owner IAG are down 3.1 percent already, and the company has come under firm criticism from customers, and may be liable for the financial claims. Perhaps most significantly, this is one of the first major breaches since GDPR came into effect in May. It appears that the company notified the Information Commissioner’s Office and customers within the GDPR’s mandatory 72 hours, but the breach will now be investigated and the company could be penalised if it failed to take all the necessary measures to protect customer data.”

“Bad news for BA and for the airline’s frequent flyers – many will likely have been caught up in the breach window. Currently, it seems only cards used to make a booking – rather than those stored on BA’s systems – were compromised, suggesting the attackers intercepted transactions rather than targeting a database of stored credit card details. The travel industry in general has been slow to wake up to the challenges of information security, but severe IT incidents do seem to be stacking up for BA. The ICO has been notified, but as BA has been quick to communicate – and likely took all reasonable steps to protect its customers’ data – BA is unlikely to be fined under the new regulation. Beyond that, in the absence of a legal requirement for directors to take responsibility, ultimately it will be up to the shareholders to decide if the board has done enough to protect the company.

“They need to start asking questions. From a security perspective, no organisation will stand up and say it can’t be breached – controls to prevent a breach are inherently flawed. Monitoring has to be the answer. Companies like BA need to detect a breach not weeks or months after it happens, but before a situation like this is allowed to develop. There has been a lot of development in monitoring capabilities recently, but organisations also need to look at their operational security processes to ensure they are fit for purpose. BA clearly has some work to do on this.”

“With the breaking news this morning that BA has been hacked, it poses a number of questions. Firstly, in the era of GDPR, will we see a substantial fine levied on the company? While there have been a number of breaches since the legislation has been enforced earlier this year, this is one where they have admitted what has happened and the fact it ticks all the boxes when it comes to personal data being compromised.

“The good news is that the breach was picked up relatively quickly and BA has systems in place such that they could narrow down both how it happened and who was affected. Unlike the TalkTalk incident where the numbers impacted changed on a regular basis, the BA team appear to have done their due diligence on the event quickly and efficiently. As with all mobile apps, there will be a long hard look at how the compromise could have occurred, was it the app, or was it the back-end system which led to the compromise, or a mixture of both, with the attack purporting to be the app but being able to manipulate the requests and therefore the responses.”

“Data loss, data theft, data breach – these phrases are now part and parcel of the daily news agenda. My guess is that British Airways hadn’t deployed encryption technology across all its platforms and environments. It’s well known that data residing anywhere in a company’s increasingly complex environment is at risk unless there is a standardised ubiquitous encryption platform in place. When did we last read an article about a data compromise or breach which is then followed up with ‘but don’t worry as the data was encrypted’. Falling victim to cyber criminals is the new normal, and all organisations need to take precautions to protect sensitive information should they become the victim of an attack. For many passengers I suspect British Airways isn’t the world’s favourite airline right now.”

“Typically, large data leaks are caused by malicious internal parties or malicious external parties that have compromised someone on the inside. In both cases, the insider could also be at a third party supplier. It is therefore important for companies to focus data protection programmes not only on their own infrastructure, but also on third party suppliers. The incident serves as a reminder to all organisations to have a good understanding of critical assets (in this case credit card numbers) and how this information is used across all business units and operations. One way to ensure this is to put in place one consistent data protection policy across all parties that come into contact with these critical assets. This includes auditing third parties to ensure they have equivalent levels of protection.”

“The attack on BA’s website happened over a 15-day period so it’s likely the criminals were stealthily exploring BA’s site and systems for vulnerabilities that they could exploit.

“Although it’s not yet clear exactly how the data was stolen, it’s likely the theft could have been prevented with the use of web application firewalling, which inspects and filters traffic on websites, and prevents commonly-used attacks such as SQL injection and cross-site scripting. It seems that BA may not have had this protection in place, or it wasn’t configured correctly – but the result is the largest data breach in the UK since GDPR came into effect, which could have further ramifications for BA.”

“BA customers who think they may have been affected should closely monitor their bank accounts, and also be wary of follow-up emails about the breach as scammers often prey on peoples’ concerns to try and harvest more data.”

“In incidents like this, organisations must be forthcoming with information and advice to affected customers on what the breach means for them and how they can protect their personal information and payment details. So we welcome the prompt reaction from British Airways, which has contacted impacted customers and spoken with the media.

Accountability and transparency are two of the core principles of GDPR, which means British Airways has a duty to ensure their customer data is always secure. They need to show that they have done everything possible to ensure such a breach won’t happen again.

The risks go far beyond the fines regulators can issue – albeit that these could be hefty under the new GDPR regime. The long-term effects on customer trust, share price and public perception could have more lasting damage to the brand.”

“This is not the whole story. Air Canada was hacked and between August 22 and August 24 customers’ passport details may have been compromised. The overlapping dates are probably a blessing as the odds are small that the same customers booked both airlines in the two day window of overlap.

In the case of Air Canada’s breach, customers’ data potentially including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence may have been compromised. In both cases, this is data that now may be available to cybercriminals to aggregate and correlate to build significantly comprehensive profiles.

A commonality of the breaches is that they both affected mobile app users. While no mention was made of iOS or Android, the security of financial mobile apps, especially on Android, is questionable at best. Although great efforts are made to secure the mobile apps, credential theft is not uncommon. In this case, mobile access from a “trusted” device from an expected location can defeat certain types of heuristics that otherwise would have raised alarm. The wisdom of conducting financial transactions on an Android device in particular, is of question. Mobile security products can be used to help prevent malicious apps from compromising devices. If a consumer chooses to conduct financial transactions on a mobile device, the additional security is effectively mandatory.

While BA has assured the public that the affected customers will be notified, we often see the estimated number of affected individuals grow over time. It is probably best for all of the customers who booked during this time frame to talk to their banks and set up 2 factor authentication.”

“GDPR has placed us in a world where disclosure of data breaches is likely to occur before the full details of the attack are known. On the positive side, companies are highly incented to improve the level of security monitoring they perform. While to the travelling public, a two week window under which the attack wasn’t properly identified as such is alarming, the reality is that absent regulations like GDPR such incidents could go undisclosed for significantly longer. It is my hope that while we see an increase in disclosures in the near term, as organisations improve their software and system security measures a marked decline in successful attacks will ensue.”

“The British Airways breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone. Collectively, this is a blow to our privacy and British Airways joins a growing list of organisations that have faced a knock down punch. For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”

“BA’s reaction is very fast. The company’s transparency and frankness serve as a good example to other companies who are prone to minimizing the consequences. It is, however, too early to make any definitive conclusions prior to a holistic technical investigation of the breach and its origins.

Shadow IT and legacy applications are a plague of today. Large organizations have so many intertwined websites, web services and mobile apps that they often forget about a considerable part of them. On the other side, cybercriminals are very proactive, and as soon as a new vulnerability is discovered in a popular CMS they start exploiting it in the wild. Obviously, abandoned systems remain unpatched for years and serve as perfect prey to the attackers.

Web applications are the Achilles’ heel of modern companies and organizations. Lawmakers make their lives even more complicated, as for example with GDPR, many organizations had to temporarily give up their practical cybersecurity and concentrate all their efforts on paper-based compliance. New cybersecurity regulations may do more harm than benefit for the society if improperly imposed or implemented.”

Tim Erlin, Vice President of Product Management and Strategy at Tripwire:

“As is usually the case, there will be more details about the cause of the breach as time passes. It’s unfortunate that payment card details appear to have been compromised in this incident. That will increase the impact on consumers. This may prove to be an important test of the recently implemented GDPR.”